[Python-Dev] XML DoS vulnerabilities and exploits in Python (original) (raw)
Christian Heimes christian at python.org
Thu Feb 21 00:23:52 CET 2013
- Previous message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
- Next message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Am 20.02.2013 23:56, schrieb Fred Drake:
While I'd hate to make XML processing more painful than it often is, there's no injunction not to be reasonable. Security concerns and resource limits are cross-cutting concerns, so it's not wrong to provide safe defaults.
Doing so will be backward incompatible, and I'm not sure there's a good way to gauge the extent of the breakage.
We could walk a different path but that would keep Python's XML libraries in an insecure mode by default.
My latest patch to expat and pyexpat supports global default values. The global defaults are used when a new parser is created with pyexpat.ParserCreate(). It's also possible to disable the new limitations in expat by default.
We can add a function to the XML package tree that enables all restrictions:
- limit expansion depths of nested entities
- limit total amount of expanded chars
- disable external entity expansion
- optionally force expat to ignore and reset all DTD information
3rd party users have to disable secure settings explicitly for the current interpreter (although expat limits are process wide and shared across subinterpreters).
try: import xml.security except ImportError:
old Python
pass else: xml.security.harden_xml_parser()
I guess most programs either process untrusted XML input or large XML documents that require expansion and DTD validation.
Christian
- Previous message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
- Next message: [Python-Dev] XML DoS vulnerabilities and exploits in Python
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]